This package implements an HTCondor credential monitor (a "credmon") for the SciTokens project. The credential monitor allows users to generate tokens based on OAuth workflows or through the presence of a local private key accessible to the credmon.
NOTE: We have not yet written installation routines for the credmon. For now, check out the source code to a publicly-readable location such as /var/lib/scitokens-credmon. Additionally, create the directory /var/lib/condor/credential and chmod it to 0700.
After installation of the credmon binaries, the admin needs to inform HTCondor of the location of the credmon and that it should be run by default.
On the condor_schedd host, add the following to a configuration file in /etc/condor/config.d, or wherever the $CONDOR_CONFIG variable references:
# The credential producer invoked by `condor_submit`; causes the credd to be invoked
# prior to the job being submitted.
SEC_CREDENTIAL_PRODUCER = /var/lib/scitokens-credmon/bin/scitokens_credential_producer
SEC_CREDENTIAL_DIRECTORY = /var/lib/condor/credential
# PYTHONPATH only needs to be set if the credmon is not installed to system Python
SEC_CREDENTIAL_MONITOR_ENVIRONMENT = "PYTHONPATH=/var/lib/scitokens-credmon"
SEC_CREDENTIAL_MONITOR = /var/lib/scitokens-credmon/bin/condor_credmon
SEC_CREDENTIAL_MONITOR_LOG = /var/log/condor/CredmonLog
DAEMON_LIST = $(DAEMON_LIST), CREDD, SEC_CREDENTIAL_MONITOR
Further, on the condor execute hosts, add:
STARTER.CREDD_OAUTH_MODE = TRUE
# NOTE: credd will refuse to transfer tokens on a non-encrypted link.
SEC_DEFAULT_ENCRYPTION=REQUIRED
In the "local mode", the credmon will use a provided private key to sign a SciToken directly, bypassing any OAuth callout. This is useful in the case where the admin wants a less-complex setup than a full OAuth deployment.
To set up the local credmon mode, the following configuration directives are mandatory:
# Path to the private keyfile
LOCAL_CREDMON_PRIVATE_KEY = /etc/condor/scitokens_ec_private.key
# Each key must have a name that relying parties can look up.
LOCAL_CREDMON_PRIVATE_KEY_ID = key-es356
# The issuer location; relying parties will need to be able to access this issuer to
# download the corresponding public key.
LOCAL_CREDMON_ISSUER = https://demo.scitokens.org
Additionally, the following may be customized:
# The authorizations given to the token. Should be of the form `authz:path` and
# space-separated for multiple authorizations. The token `{username}` will be
# expanded with the user's Unix username.
# LOCAL_CREDMON_AUTHZ_TEMPLATE = read:/user/{username} write:/user/{username}
# The lifetime, in seconds, for a new token. The credmon will continuously renew
# credentials on the submit-side.
LOCAL_CREDMON_TOKEN_LIFETIME = 1200
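As an added illustration (not code from the scitokens-credmon project) of how the mandatory and optional LOCAL_CREDMON_* directives above turn into a SciToken, the following Python builds the claim set and JWS signing input a local-mode credmon would sign for a given user. The config parser is a minimal stand-in for HTCondor's real configuration language, the claim names follow the SciTokens/JWT profile, and the username check is an assumed extra guard, since the template expands the username into authorization paths.

```python
# Added example, not part of scitokens-credmon. Shows how LOCAL_CREDMON_*
# directives map to the claims of the token that local mode would sign.
import base64
import json
import re
import time

# Constructed config text mirroring the directives documented above.
CONFIG_TEXT = """
LOCAL_CREDMON_PRIVATE_KEY = /etc/condor/scitokens_ec_private.key
LOCAL_CREDMON_PRIVATE_KEY_ID = key-es356
LOCAL_CREDMON_ISSUER = https://demo.scitokens.org
LOCAL_CREDMON_AUTHZ_TEMPLATE = read:/user/{username} write:/user/{username}
LOCAL_CREDMON_TOKEN_LIFETIME = 1200
"""

# Assumed guard: only plain Unix-style usernames may be expanded into paths.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_config(text):
    """Parse KEY = VALUE lines, ignoring blanks and '#' comments (simplified)."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def build_scitoken_claims(cfg, username, now=None):
    """Expand the authz template for a user and assemble the JWT claim set."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("refusing to expand template for unusual username")
    now = int(time.time()) if now is None else now
    template = cfg.get("LOCAL_CREDMON_AUTHZ_TEMPLATE", "read:/user/{username}")
    # Each space-separated authz:path entry becomes one scope value.
    scopes = [entry.format(username=username) for entry in template.split()]
    lifetime = int(cfg.get("LOCAL_CREDMON_TOKEN_LIFETIME", 1200))
    return {"iss": cfg["LOCAL_CREDMON_ISSUER"], "sub": username,
            "scope": " ".join(scopes), "iat": now, "nbf": now,
            "exp": now + lifetime}


def jws_signing_input(cfg, claims):
    """header.payload string the ES256 signature covers; 'kid' lets relying
    parties fetch the matching public key from the issuer."""
    header = {"alg": "ES256", "typ": "JWT",
              "kid": cfg["LOCAL_CREDMON_PRIVATE_KEY_ID"]}
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64url(header) + "." + b64url(claims)
```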